如何防止其他用户在 cakephp3 中编辑我的个人资料

Question

我有一个使用 cakephp3 的简单程序，当我尝试将其直接放入浏览器时：

http://localhost/sample/users/edit/82

它直接进入登录页面。然后登录后，即使该配置文件不是当前用户登录，我的代码仍然可以编辑配置文件。

下面是我的编辑代码

public function edit($id = null)
{
    $user = $this->Users->get($id, [
        'contain' => []
    ]);
    if ($this->request->is(['patch', 'post', 'put'])) {
        $user = $this->Users->patchEntity($user, $this->request->data);


                if ($this->Users->save($user)) {
                    $this->Flash->success(__('The user has been saved.'));
                    return $this->redirect(['action' => 'index']);
                } else {
                    $this->Flash->error(__('The user could not be saved. Please, try again.'));
                }

    }
    $this->set(compact('user'));
    $this->set('_serialize', ['user']);
}


edit.ctp

<div class="actions columns large-2 medium-3">
<h3><?= __('Actions') ?></h3>
 <ul class="side-nav">
    <li><?= $this->Form->postLink(
            __('Delete'),
            ['action' => 'delete', $user->id],
            ['confirm' => __('Are you sure you want to delete # {0}?', 
  $user->id)]
        )
    ?></li>
    <li><?= $this->Html->link(__('List Users'), ['action' => 'index']) ?>
  </li>
</ul>

    <div class="users form large-10 medium-9 columns">
     <?= $this->Form->create($user) ?>
   <fieldset>
      <legend><?= __('Edit User') ?></legend>
      <?php
          echo $this->Form->input('username');
          echo $this->Form->input('password');
      ?>
    </fieldset>
<?= $this->Form->button(__('Submit')) ?>
  <?= $this->Form->end() ?>
</div>

Answer 1

您必须检查现有用户是否正在尝试更新他/她的个人资料。你可以这样做。

所有这些都在您的编辑方法之上

public function edit($id = null)
{
  $logged_user_id=$this->Auth->user('id');

  if($logged_user_id==$id){
  $user = $this->Users->get($id, [
        'contain' => []
    ]);
    if ($this->request->is(['patch', 'post', 'put'])) {
        $user = $this->Users->patchEntity($user, $this->request->data);


                if ($this->Users->save($user)) {
                    $this->Flash->success(__('The user has been saved.'));
                    return $this->redirect(['action' => 'index']);
                } else {
                    $this->Flash->error(__('The user could not be saved. Please, try again.'));
                }

    }
    $this->set(compact('user'));
    $this->set('_serialize', ['user']);
   } else {
                    $this->Flash->error(__('You are not allowed to do this.'));
     }
}

Answer 2

就我而言，就像 ndm 所说，我不使用会话，这就是我所做的（希望它有所帮助）：

public function edit($id = null)
{

    if(!is_null($this->Auth->user())): // if the user is logged
      if(is_null($id)) { $id = $this->Auth->user('id'); }
      if($this->Auth->user()['group_id']<>1): // in my case group 1 is for the administrator group, i let them edit profile
        $id = $this->Auth->user('id'); // in this case, if the user is not an administrator, id will always be his "user id"
      endif;      
    endif;

    if ($this->request->is(['patch', 'post', 'put'])) {
        $user = $this->Users->patchEntity($user, $this->request->data);
        if ($this->Users->save($user)) {
            $this->Flash->success(__('The user has been saved.'));

            return $this->redirect(['action' => 'edit', $id]);
        }
        $this->Flash->error(__('The user could not be saved. Please, try again.'));
    }

    $this->set(compact('user'));
    $this->set('_serialize', ['user']);
}